Tuesday, February 8, 2011

In November, AOL announced its attempt to make its e-mail service popular again by promoting its new Project Phoenix beta service. Basically, AOL Project Phoenix is supposed to give you a single site for accessing multiple e-mail accounts from different services, posting to Twitter and Facebook, texting, and instant messaging, and it offers new domains to choose from, for example @love.com instead of @aol.com.

The beta went live in late December, and those who requested invites ahead of time were given access. However, in spite of all the features that have been added, AOL seems to have forgotten the two most important features of all: security and privacy. What's wrong with this picture?

That's right; Project Phoenix provides no encryption whatsoever, except for the initial login page. I found this quite surprising and fairly disturbing since Project Phoenix was announced one month after Firesheep hit the Internet (and Phoenix went live two months after the release of Firesheep, which should have given AOL plenty of time to implement better security).

If you missed my blog post mentioning Firesheep (and if you also missed the zillions of news stories about it), it's a Firefox add-on that allows any wannabe hacker to easily log into other users' accounts who are on the same unencrypted or WEP-encrypted Wi-Fi network. This can be a significant problem if you frequently use public Wi-Fi hotspots at coffee shops, restaurants, hotels, airports, or anywhere else that uses an open (password-free) Wi-Fi access point that anyone can join—or if you have an open or WEP-encrypted Wi-Fi network at home. Firesheep has been downloaded over 1.1 million times so far. Affected sites reportedly included Facebook, Twitter, Amazon, Google, bit.ly, The New York Times, Dropbox, Evernote, Flickr, and others. Support for AOL is already in the works and has been "pending" since October 18th, although it could be fairly trivial for someone to add their own support for AOL sites; the creator of Firesheep provides step-by-step instructions for creating your own "handlers."

If AOL is indeed vulnerable to session hijacking as the Firesheep site implies, it would mean that anyone using the AOL site on a public Wi-Fi network could have their session hijacked, meaning that the attacker could read and send e-mails, instant messages, or text messages posing as the owner of that AOL account or any e-mail account connected with it. Regardless of whether AOL's site is vulnerable to session hijacking, the lack of HTTPS encryption means that the contents of your personal e-mails are sent unencrypted over the network and could be intercepted and read by malevolent third parties.

During December and January, I made at least 9 different attempts using at least 7 different methods to notify AOL about this major vulnerability in Project Phoenix. I received a reply one month ago from the AOL Privacy Team that said, in part:

AOL's commitment to security and privacy has always been one of our most important values. ... AOL currently supports SSL in the beta of AOL Mail ... and has plans to support SSL in Project Phoenix, a new version of AOL Mail in the first half of 2011 as a part of the company's ongoing efforts to offer consumers the best online experience possible.

This evening I received a mass e-mail from AOL's Senior Vice President of Marketing, Mike Maser, stating that AOL appreciated all the ideas, comments, and feedback they have received, and that "We're taking your input to heart!" That sounded hopeful, but the e-mail only listed a couple of extremely minor updates, and SSL/TLS encryption wasn't one of them. I opted back into Phoenix to test it anyway, and was disappointed to find that all e-mails and interactions with the site are still sent unencrypted, and you still can't manually add an "s" after the "http" to enable encryption.

I strongly recommend that AOL users opt out of Project Phoenix if they've already opted into it (just find and click on the "Switch to Classic Mail" link), and then always use https://beta.mail.aol.com to securely access their AOL e-mail from the Web.

As someone who knows several people who use AOL e-mail, I'm frustrated with AOL's apparent lack of concern for its users' security and privacy (in spite of its claims to the contrary). Fortunately, AOL does offer a method of accessing e-mail via HTTPS if you're lucky enough to know the secret URL above. Several of the sites supported by Firesheep also have optional HTTPS access but don't enforce it.

Here's food for thought: Google's free e-mail service, Gmail, has defaulted to HTTPS for over a year now. Why not AOL Mail, Yahoo! Mail, Windows Live Hotmail, and other e-mail providers? Why not other major sites with millions of users? Do they really care that little about their customers? Or are they really that clueless?

(Before anyone replies mistakenly claiming that SSL is expensive to implement, allow me to correct you: it's not. As for the price, an SSL certificate is easily affordable for anyone who owns a domain, and regarding computational expense, a Google engineer has stated the following about switching Gmail to SSL/TLS: "If there's one point that we want to communicate to the world, it's that SSL/TLS is not computationally expensive any more. Ten years ago it might have been true, but it's just not the case any more. You too can afford to enable HTTPS for your users. ... In order to do this we had to deploy no additional machines and no special hardware.")

The average user does not know anything about the dangers of using public Wi-Fi and has never heard of Firesheep. I strongly encourage you to take action by doing the following:

Contact the operators of sites you use—especially the high-profile sites that would be the most likely targets of Firesheep attacks—and explain the problems of not enforcing HTTPS encryption for the entire session (i.e. the whole time the user is on the site, not merely when they log in).

Encourage your friends, relatives, and local coffee shops and restaurants to enable WPA2 encryption on their networks, and offer to help them set this up. They can freely share the Wi-Fi password with anyone they wish to allow on the network; Firesheep doesn't work with WPA encryption.

Encourage your Firefox-using friends to install the latest development builds of the HTTPS-Everywhere add-on, but make sure they understand that it's not foolproof. In spite of its name, it can't enable encryption on all sites, but it adds a layer of defense by forcing encryption for a limited number of specific sites where HTTPS is normally optional. I don't recommend using HTTPS-Everywhere as your only line of defense on a public Wi-Fi network, although it might be good enough if the only Web sites you ever use are ones that the add-on supports. If browsing all sites freely without worry sounds preferable, a better option is to:

Encourage your friends to use a VPN to securely log into their home computer when they're on a public Wi-Fi network, and only browse the Web using their browser at home through the secure VPN tunnel. Most people will prefer a simple, easy VPN solution that's free or inexpensive, such as LogMeIn Free (which I haven't used personally, but appears to be a good solution) instead of using their laptop's browser when connected to an open Wi-Fi network.

UPDATE, 13 July 2011: It appears that AOL has finally begun to allows HTTPS access for the domain phoenix.aol.com, although not all parts of the page are encrypted.

For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

About Me

the JoshMeister

the JoshMeister (Joshua Long) is a computer security researcher from Southern California. He has a Master of Information Technology degree concentrating in Internet Security, and he has also taken doctorate-level coursework studying Business Administration and Computer and Information Security.

For more than a decade, Josh has been reporting spam, phishing scams, malicious or infected sites, and undetected malware samples to help protect others online.

To contact Josh, simply leave a comment on this site; all comments are moderated, so you can leave a private message this way. For confidentiality, you may encrypt your message with Josh's PGP key.